{"id":1803,"date":"2026-03-10T11:04:13","date_gmt":"2026-03-10T11:04:13","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/"},"modified":"2026-03-10T11:04:13","modified_gmt":"2026-03-10T11:04:13","slug":"beatbanker-a-dual-mode-android-trojan","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/","title":{"rendered":"BeatBanker: A dual\u2011mode Android Trojan"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>Recently, we uncovered BeatBanker, an Android\u2011based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. In a more recent campaign, the attackers switched from the banker to a known RAT.<\/p>\n<p>This blog post outlines each phase of the malware\u2019s activity on the victim\u2019s handset, explains how it ensures long\u2011term persistence, and describes its communication with mining pools.<\/p>\n<h2 id=\"key-findings\">Key findings:<\/h2>\n<ul>\n<li>To maintain persistence, the Trojan employs a creative mechanism: it plays an almost inaudible audio file on a loop so it cannot be terminated. 
This inspired us to name it BeatBanker.<\/li>\n<li>It monitors battery temperature and percentage, and checks whether the user is using the device.<\/li>\n<li>At various stages of the attack, BeatBanker disguises itself as a legitimate application on the Google Play Store and as the Play Store itself.<\/li>\n<li>It deploys a banker in addition to a cryptocurrency miner.<\/li>\n<li>When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor\u2019s transfer address.<\/li>\n<li>New samples now drop BTMOB RAT instead of the banking module.<\/li>\n<\/ul>\n<h2 id=\"initial-infection-vector\">Initial infection vector<\/h2>\n<p>The campaign begins with a counterfeit website, <em>cupomgratisfood[.]shop<\/em>, that looks exactly like the Google Play Store. This fake app store contains the \u201cINSS Reembolso\u201d app, which is in fact a Trojan. There are also other apps that are most likely Trojans too, but we haven\u2019t obtained them.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-119124\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1.png\" alt=\"\" width=\"1382\" height=\"511\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1.png 1382w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-300x111.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-1024x379.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-768x284.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-947x350.png 947w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-740x274.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-757x280.png 757w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06171740\/beatbanker-miner1-800x296.png 800w\" sizes=\"(max-width: 1382px) 100vw, 1382px\"><\/a><\/p>\n<p>The INSS Reembolso app poses as the official mobile portal of Brazil\u2019s Instituto Nacional do Seguro Social (INSS), a government service that citizens can use to perform more than 90 social security tasks, from retirement applications and medical exam scheduling to viewing CNIS (National Registry of Social Information), tax, and payment statements, as well as tracking request statuses. By masquerading as this trusted platform, the fake page tricks users into downloading the malicious APK.<\/p>\n<h3 id=\"packing\">Packing<\/h3>\n<p>The initial APK file is packed and makes use of a native shared library (ELF) named <em>libludwwiuh.so<\/em> that is included in the application. Its main task is to decrypt another ELF file that will ultimately load the original <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dalvik_(software)\" target=\"_blank\" rel=\"noopener\">DEX<\/a> file.<\/p>\n<p>First, <em>libludwwiuh.so<\/em> decrypts an embedded encrypted ELF file and drops it to a temporary location on the device under the name <em>l.so<\/em>. 
The same code that loaded the <em>libludwwiuh.so<\/em> library then loads this file, which uses the Java Native Interface (JNI) to continue execution.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119125\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2.png\" alt=\"\" width=\"1961\" height=\"2212\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2.png 1961w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-266x300.png 266w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-908x1024.png 908w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-768x866.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-1362x1536.png 1362w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-1816x2048.png 1816w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-310x350.png 310w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-740x835.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-248x280.png 248w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172504\/beatbanker-miner2-798x900.png 798w\" sizes=\"auto, (max-width: 1961px) 100vw, 1961px\"><\/a><\/p>\n<h3 id=\"l-so-the-dex-loader\">l.so \u2013 the DEX loader<\/h3>\n<p>The 
library does not have calls to its functions; instead, it directly calls the Java methods whose names are encrypted in the stack using XOR (stack strings technique) and restored at runtime:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119126\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3.png\" alt=\"\" width=\"1681\" height=\"465\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3.png 1681w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-300x83.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-1024x283.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-768x212.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-1536x425.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-1265x350.png 1265w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-740x205.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-1012x280.png 1012w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172540\/beatbanker-miner3-800x221.png 800w\" sizes=\"auto, (max-width: 1681px) 100vw, 1681px\"><\/a><\/p>\n<p>Initially, the loader makes a request to collect some network information using https:\/\/ipapi.is to determine whether the infected device is a mobile device, if 
a VPN is being used, and to obtain the IP address and other details.<\/p>\n<p>This loader is engineered to bypass mobile antivirus products by utilizing dalvik.system.InMemoryDexClassLoader. It loads malicious DEX code directly into memory, avoiding the creation of any files on the device\u2019s file system. The necessary DEX files can be extracted using dynamic analysis tools like Frida.<\/p>\n<p>Furthermore, the sample incorporates anti-analysis techniques, including runtime checks for emulated or analysis environments. When such an environment is detected (or when specific checks fail, such as verification of the supported CPU_ABI), the malware can immediately terminate its own process by invoking <code>android.os.Process.killProcess(android.os.Process.myPid())<\/code>, effectively self-destructing to hinder dynamic analysis.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119127\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-scaled.png\" alt=\"\" width=\"3922\" height=\"1626\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-scaled.png 3922w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-300x124.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-1024x425.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-768x318.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-1536x637.png 1536w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-2048x849.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-844x350.png 844w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-740x307.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-675x280.png 675w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172731\/beatbanker-miner4-800x332.png 800w\" sizes=\"auto, (max-width: 3922px) 100vw, 3922px\"><\/a><\/p>\n<p>After execution, the malware displays a user interface that mimics the Google Play Store page, showing an update available for the INSS Reembolso app. This is intended to trick victims into granting installation permissions by tapping the \u201cUpdate\u201d button, which allows the download of additional hidden malicious payloads.<\/p>\n<p>The payload delivery process mimics the application update. The malware uses the REQUEST_INSTALL_PACKAGES permission to install APK files directly into its memory, bypassing Google Play. 
To ensure persistence, the malware keeps a notification about a system update pinned to the foreground and activates a foreground service with silent media playback, a tactic designed to prevent the operating system from terminating the malicious process.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119128\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5.png\" alt=\"\" width=\"1058\" height=\"840\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5.png 1058w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-300x238.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-1024x813.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-768x610.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-441x350.png 441w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-740x588.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-353x280.png 353w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06172844\/beatbanker-miner5-800x635.png 800w\" sizes=\"auto, (max-width: 1058px) 100vw, 1058px\"><\/a><\/p>\n<h2 id=\"crypto-mining\">Crypto mining<\/h2>\n<p>When <code>UPDATE<\/code> is clicked on a fake Play Store screen, the malicious application downloads and executes an ELF file containing a cryptomining payload. 
It starts by issuing a GET request to the C2 server at either <code>hxxps:\/\/accessor.fud2026.com\/libmine-&lt;arch&gt;.so<\/code> or <code>hxxps:\/\/fud2026.com\/libmine-&lt;arch&gt;.so<\/code>. The downloaded file is then decrypted using <code>CipherInputStream()<\/code>, with the decryption key being derived from the SHA-1 hash of the downloaded file\u2019s name, ensuring that each version of the file is encrypted with a unique key. The resulting file is renamed <code>d-miner<\/code>.<\/p>\n<p>The decrypted payload is an ARM-compiled XMRig 6.17.0 binary. At runtime, it attempts to create a direct TCP connection to <code>pool.fud2026[.]com:9000<\/code>. If successful, it uses this endpoint; otherwise, it automatically switches to the proxy endpoint <code>pool-proxy.fud2026[.]com:9000<\/code>. The final command-line arguments passed to XMRig are as follows:<\/p>\n<ul>\n<li><code>-o pool.fud2026[.]com:9000 or pool-proxy.fud2026[.]com:9000<\/code> (selected dynamically)<\/li>\n<li><code>-k<\/code> (keepalive)<\/li>\n<li><code>--tls<\/code> (encrypted connection)<\/li>\n<li><code>--no-color<\/code> (disable colored output)<\/li>\n<li><code>--nicehash<\/code> (NiceHash protocol support)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119129\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6.png\" alt=\"\" width=\"1439\" height=\"292\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6.png 1439w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-300x61.png 300w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-1024x208.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-768x156.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-740x150.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-1380x280.png 1380w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173243\/beatbanker-miner6-800x162.png 800w\" sizes=\"auto, (max-width: 1439px) 100vw, 1439px\"><\/a><\/p>\n<h3 id=\"c2-telemetry\">C2 telemetry<\/h3>\n<p>The malware uses Google\u2019s legitimate <a href=\"https:\/\/firebase.google.com\/docs\/cloud-messaging\" target=\"_blank\" rel=\"noopener\">Firebase Cloud Messaging (FCM)<\/a> as its primary command\u2011and\u2011control (C2) channel. In the analyzed sample, each FCM message received triggers a check of the battery status, temperature, installation date, and user presence. A hidden cryptocurrency miner is then started or stopped as needed. These mechanisms ensure that infected devices remain permanently accessible and responsive to the attacker\u2019s instructions, which are sent through the FCM infrastructure. 
The attacker monitors the following information:<\/p>\n<ul>\n<li><strong>isCharging<\/strong>: indicates whether the phone is charging;<\/li>\n<li><strong>batteryLevel<\/strong>: the exact battery percentage;<\/li>\n<li><strong>isRecentInstallation<\/strong>: indicates whether the application was recently installed (if so, the implant delays malicious actions);<\/li>\n<li><strong>isUserAway<\/strong>: indicates whether the user is away from the device (screen off and inactive);<\/li>\n<li><strong>overheat<\/strong>: indicates whether the device is overheating;<\/li>\n<li><strong>temp<\/strong>: the current battery temperature.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119130\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7.png\" alt=\"\" width=\"1052\" height=\"176\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7.png 1052w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7-300x50.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7-1024x171.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7-768x128.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7-740x124.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173332\/beatbanker-miner7-800x134.png 800w\" sizes=\"auto, (max-width: 1052px) 100vw, 1052px\"><\/a><\/p>\n<h3 id=\"persistence\">Persistence<\/h3>\n<p>The <code>KeepAliveServiceMediaPlayback<\/code> component 
ensures continuous operation by initiating uninterrupted playback via <code>MediaPlayer<\/code>. It keeps the service active in the foreground using a notification and loads a small, continuous audio file. This constant activity prevents the system from suspending or terminating the process due to inactivity.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119131\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8.png\" alt=\"\" width=\"2030\" height=\"218\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8.png 2030w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-300x32.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-1024x110.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-768x82.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-1536x165.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-740x79.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-1600x172.png 1600w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173502\/beatbanker-miner8-800x86.png 800w\" sizes=\"auto, (max-width: 2030px) 100vw, 2030px\"><\/a><\/p>\n<p>The identified audio <code>output8.mp3<\/code> is five seconds long and plays on a loop. 
It contains some Chinese words.<\/p>\n<h2 id=\"banking-module\">Banking module<\/h2>\n<p>BeatBanker compromises the machine with a cryptocurrency miner and introduces another malicious APK that acts as a banking Trojan. This Trojan uses previously obtained permission to install an additional APK called <em>INSS Reebolso<\/em>, which is associated with the package <em>com.destination.cosmetics<\/em>.<\/p>\n<p>Similar to the initial malicious APK, it establishes persistence by creating and displaying a fixed notification in the foreground to hinder removal. Furthermore, BeatBanker attempts to trick the user into granting accessibility permissions to the package.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119132\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9.png\" alt=\"\" width=\"1063\" height=\"801\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9.png 1063w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-300x226.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-1024x772.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-768x579.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-200x150.png 200w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-464x350.png 464w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-740x558.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-372x280.png 372w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173551\/beatbanker-miner9-800x603.png 800w\" sizes=\"auto, (max-width: 1063px) 100vw, 1063px\"><\/a><\/p>\n<p>Leveraging the acquired accessibility permissions, the malware establishes comprehensive control over the device\u2019s user interface.<\/p>\n<p>The Trojan constantly monitors the foreground application. It targets the official Binance application (<code>com.binance.dev<\/code>) and the Trust Wallet application (<code>com.wallet.crypto.trustapp<\/code>), focusing on USDT transactions. When a user tries to withdraw USDT, the Trojan instantly overlays the target app\u2019s transaction confirmation screen with a highly realistic page sourced from Base64-encoded HTML stored in the banking module.<\/p>\n<p>The module captures the original withdrawal address and amount, then surreptitiously substitutes the destination address with an attacker-controlled one using <code>AccessibilityNodeInfo.ACTION_SET_TEXT<\/code>. 
The overlay page shows the victim the address they copied (for Binance) or just shows a loading icon (for Trust Wallet), leading them to believe they are remitting funds to the intended wallet when, in fact, the cryptocurrency is transferred to the attacker\u2019s designated address.<\/p>\n<div id=\"attachment_119133\" style=\"width: 1315px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119133\" class=\"size-full wp-image-119133\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10.png\" alt=\"Fake overlay pages: Binance (left) and Trust Wallet (right)\" width=\"1305\" height=\"605\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10.png 1305w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-300x139.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-1024x475.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-768x356.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-755x350.png 755w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-740x343.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-604x280.png 604w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173643\/beatbanker-miner10-800x371.png 800w\" sizes=\"auto, (max-width: 1305px) 100vw, 1305px\"><\/a><\/p>\n<p 
id=\"caption-attachment-119133\" class=\"wp-caption-text\">Fake overlay pages: Binance (left) and Trust Wallet (right)<\/p>\n<\/div>\n<h3 id=\"target-browsers\">Target browsers<\/h3>\n<p>BeatBanker\u2019s banking module monitors the following browsers installed on the victim\u2019s device:<\/p>\n<ul>\n<li>Chrome<\/li>\n<li>Firefox<\/li>\n<li>sBrowser<\/li>\n<li>Brave<\/li>\n<li>Opera<\/li>\n<li>DuckDuckGo<\/li>\n<li>Dolphin Browser<\/li>\n<li>Edge<\/li>\n<\/ul>\n<p>Its aim is to collect the URLs accessed by the victim using the regular expression <code>^(?:https?:\/\/)?(?:[^:\/\\\\]+\\\\.)?([^:\/\\\\]+\\\\.[^:\/\\\\]+)<\/code>. It also offers management functionalities (add, edit, delete, list) for links saved in the device\u2019s default browser, as well as the ability to open links provided by the attacker.<\/p>\n<h3 id=\"c2-communication\">C2 communication<\/h3>\n<p>BeatBanker is also designed to receive commands from the C2. These commands aim to collect the victim\u2019s personal information and gain complete control of the device.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>Starts dynamic loading of the DEX class<\/td>\n<\/tr>\n<tr>\n<td>Update<\/td>\n<td>Simulates software update and locks the screen<\/td>\n<\/tr>\n<tr>\n<td>msg:<\/td>\n<td>Displays a Toast message with the provided text<\/td>\n<\/tr>\n<tr>\n<td>goauth&lt;*&gt;<\/td>\n<td>Opens Google Authenticator (if installed) and enables the <code>AccessService.SendGoogleAuth<\/code> flag used to monitor and retrieve authentication codes<\/td>\n<\/tr>\n<tr>\n<td>kill&lt;*&gt;<\/td>\n<td>Sets the protection bypass flag <code>AccessService.bypass<\/code> to \u201cTrue\u201d<br \/>\nand sets the <code>initializeService.uninstall<\/code> flag to \u201cOff\u201d<\/td>\n<\/tr>\n<tr>\n<td>srec&lt;*&gt;<\/td>\n<td>Starts or stops audio recording (microphone), storing the recorded data in a file with an automatically 
generated filename. The following path format is used to store the recording: <code>\/Config\/sys\/apps\/rc\/&lt;timestamp&gt;_0REC&lt;last5digits&gt;.wav<\/code><\/td>\n<\/tr>\n<tr>\n<td>pst&lt;*&gt;<\/td>\n<td>Pastes text from the clipboard (via Accessibility Services)<\/td>\n<\/tr>\n<tr>\n<td>GRC&lt;*&gt;<\/td>\n<td>Lists all existing audio recording files<\/td>\n<\/tr>\n<tr>\n<td>gtrc&lt;*&gt;<\/td>\n<td>Sends a specific audio recording file to the C2<\/td>\n<\/tr>\n<tr>\n<td>lcm&lt;*&gt;<\/td>\n<td>Lists supported front camera resolutions<\/td>\n<\/tr>\n<tr>\n<td>usdtress&lt;*&gt;<\/td>\n<td>Sets a USDT cryptocurrency address when a transaction is detected<\/td>\n<\/tr>\n<tr>\n<td>lnk&lt;*&gt;<\/td>\n<td>Opens a link in the browser<\/td>\n<\/tr>\n<tr>\n<td>EHP&lt;*&gt;<\/td>\n<td>Updates login credentials (host, port, name) and restarts the application<\/td>\n<\/tr>\n<tr>\n<td>ssms&lt;*&gt;<\/td>\n<td>Sends an SMS message (individually or to all contacts)<\/td>\n<\/tr>\n<tr>\n<td>CRD&lt;*&gt;<\/td>\n<td>Adds (E&gt;) or removes (D&gt;) packages from the list of blocked\/disabled applications<\/td>\n<\/tr>\n<tr>\n<td>SFD&lt;*&gt;<\/td>\n<td>Deletes files (logs, recordings, tones) or uninstalls itself<\/td>\n<\/tr>\n<tr>\n<td>adm&lt;&gt;lck&lt;&gt;<\/td>\n<td>Immediately locks the screen using Device Administrator permissions<\/td>\n<\/tr>\n<tr>\n<td>adm&lt;&gt;wip&lt;&gt;<\/td>\n<td>Performs a complete device data wipe (factory reset)<\/td>\n<\/tr>\n<tr>\n<td>Aclk&lt;*&gt;<\/td>\n<td>Executes a sequence of automatic taps (auto-clicker) or lists existing macros<\/td>\n<\/tr>\n<tr>\n<td>KBO&lt;*&gt;lod<\/td>\n<td>Checks the status of the keylogger and virtual keyboard<\/td>\n<\/tr>\n<tr>\n<td>KBO&lt;*&gt;AKP\/AKA<\/td>\n<td>Requests permission to activate a custom virtual keyboard or activates one<\/td>\n<\/tr>\n<tr>\n<td>KBO&lt;*&gt;ENB:<\/td>\n<td>Enables (1) or disables (0) the keylogger<\/td>\n<\/tr>\n<tr>\n<td>RPM&lt;*&gt;lod<\/td>\n<td>Checks the status of 
all critical permissions<\/td>\n<\/tr>\n<tr>\n<td>RPM&lt;*&gt;ACC<\/td>\n<td>Requests Accessibility Services permission<\/td>\n<\/tr>\n<tr>\n<td>RPM&lt;*&gt;DOZ<\/td>\n<td>Requests Doze\/App Standby permission (battery optimization)<\/td>\n<\/tr>\n<tr>\n<td>RPM&lt;*&gt;DRW<\/td>\n<td>Requests Draw Over Other Apps permission (overlay)<\/td>\n<\/tr>\n<tr>\n<td>RPM&lt;*&gt;INST<\/td>\n<td>Requests permission to install apps from unknown sources (Android 8+)<\/td>\n<\/tr>\n<tr>\n<td>ussd&lt;*&gt;<\/td>\n<td>Executes a USSD code (e.g., *#06# for IMEI)<\/td>\n<\/tr>\n<tr>\n<td>Blkt&lt;*&gt;<\/td>\n<td>Sets the text for the lock overlay<\/td>\n<\/tr>\n<tr>\n<td>BLKV&lt;*&gt;<\/td>\n<td>Enables or disables full-screen lock using <code>WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY<\/code> to display a black <code>FrameLayout<\/code> element over the entire screen<\/td>\n<\/tr>\n<tr>\n<td>SCRD&lt;&gt; \/ SCRD2&lt;&gt;<\/td>\n<td>Enables\/disables real-time screen text submission to the C2 (screen reading)<\/td>\n<\/tr>\n<tr>\n<td>rdall&lt;*&gt;<\/td>\n<td>Clears or sends all keylogger logs<\/td>\n<\/tr>\n<tr>\n<td>rdd&lt;*&gt;<\/td>\n<td>Deletes a specific log file<\/td>\n<\/tr>\n<tr>\n<td>rd&lt;*&gt;<\/td>\n<td>Sends the content of a specific keylogger file<\/td>\n<\/tr>\n<tr>\n<td>MO&lt;*&gt;<\/td>\n<td>Manages application monitoring (add, remove, list, screenshot, etc.)<\/td>\n<\/tr>\n<tr>\n<td>FW&lt;*&gt;<\/td>\n<td>Controls VPN and firewall (status, block\/allow apps, enable\/disable)<\/td>\n<\/tr>\n<tr>\n<td>noti&lt;*&gt;<\/td>\n<td>Creates persistent and custom notifications<\/td>\n<\/tr>\n<tr>\n<td>sp&lt;*&gt;<\/td>\n<td>Executes a sequence of swipes\/taps (gesture macro)<\/td>\n<\/tr>\n<tr>\n<td>lodp&lt;*&gt;<\/td>\n<td>Manages saved links in the internal browser (add, edit, delete, list)<\/td>\n<\/tr>\n<tr>\n<td>scc:<\/td>\n<td>Starts screen capture\/streaming<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"new-beatbanker-samples-dropping-btmob\">New BeatBanker 
samples dropping BTMOB<\/h2>\n<p>Our recent detection efforts uncovered a campaign leveraging a fraudulent StarLink application that we assess as being a new BeatBanker variant. The infection chain mirrored previous instances, employing identical persistence methods \u2013 specifically, looped audio and fixed notifications. Furthermore, this variant included a crypto miner similar to those seen previously. However, rather than deploying the banking module, it was observed distributing the BTMOB remote administration tool.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119134\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11.png\" alt=\"\" width=\"864\" height=\"694\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11.png 864w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-300x241.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-768x617.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-436x350.png 436w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-740x594.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-349x280.png 349w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06173926\/beatbanker-miner11-800x643.png 800w\" sizes=\"auto, (max-width: 864px) 100vw, 864px\"><\/a><\/p>\n<p>The BTMOB APK is highly obfuscated and contains a class responsible for 
configuration. Despite this, it\u2019s possible to identify a parser used to define the application\u2019s behavior on the device, as well as persistence features, such as protection against restart, deletion, lock reset, and the ability to perform real-time screen recording.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119135\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12.png\" alt=\"\" width=\"755\" height=\"653\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12.png 755w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12-300x259.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12-405x350.png 405w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12-740x640.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174006\/beatbanker-miner12-324x280.png 324w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\"><\/a><\/p>\n<h3 id=\"string-decryption\">String decryption<\/h3>\n<p>The simple decryption routine uses repetitive XOR between the encrypted data and a short key. It iterates through the encrypted text byte by byte, repeating the key from the beginning whenever it reaches the end. At each position, the sample XORs the encrypted byte with the corresponding byte of the key, overwriting the original. 
Ultimately, the modified byte array contains the original text, which is then converted to UTF-8 and returned as a string.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119136\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13.png\" alt=\"\" width=\"992\" height=\"374\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13.png 992w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-300x113.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-768x290.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-990x374.png 990w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-928x350.png 928w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-740x279.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-743x280.png 743w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174045\/beatbanker-miner13-800x302.png 800w\" sizes=\"auto, (max-width: 992px) 100vw, 992px\"><\/a><\/p>\n<h3 id=\"malware-as-a-service\">Malware-as-a-Service<\/h3>\n<p>BTMOB is an Android remote administration tool that evolved from the <a href=\"https:\/\/www.group-ib.com\/blog\/craxs-rat-malware\/\" target=\"_blank\" rel=\"noopener\">CraxsRAT<\/a>, <a href=\"https:\/\/www.cyfirma.com\/research\/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat\/\" 
target=\"_blank\" rel=\"noopener\">CypherRAT<\/a>, and SpySolr families. It provides full remote control of the victim\u2019s device and is sold in a Malware-as-a-Service (MaaS) model. On July 26, 2025, a threat actor posted a screenshot of the BTMOB RAT in action on GitHub under the username \u201cbrmobrats\u201d, along with a link to the website btmob[.]xyz. The website contains information about the BTMOB RAT, including its version history, features, and other relevant details. It also redirects to a Telegram contact. Cyfirma has already linked this account to CraxsRAT and CypherRAT.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14.png\" alt=\"\" width=\"938\" height=\"1000\" class=\"aligncenter size-full wp-image-119150\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14.png 938w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-281x300.png 281w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-768x819.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-328x350.png 328w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-740x789.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-263x280.png 263w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10090011\/beatbanker-miner-14-800x853.png 800w\" sizes=\"auto, (max-width: 938px) 100vw, 
938px\"><\/a><\/p>\n<p>Recently, a different threat actor created a YouTube channel featuring videos that demonstrate how to use the malware and facilitate its sale via Telegram.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15.png\" alt=\"\" width=\"1001\" height=\"507\" class=\"aligncenter size-full wp-image-119149\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15.png 1001w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-300x152.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-768x389.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-691x350.png 691w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-740x375.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-553x280.png 553w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10085957\/beatbanker-miner-15-800x405.png 800w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\"><\/a><\/p>\n<p>We also saw the distribution and sale of leaked BTMOB source code on some dark web forums. 
This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload, replacing the banking module observed in the INSS Reembolso incident.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119139\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16.png\" alt=\"\" width=\"1600\" height=\"862\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16.png 1600w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-300x162.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-1024x552.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-768x414.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-1536x828.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-650x350.png 650w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-740x399.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-520x280.png 520w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174254\/beatbanker-miner16-800x431.png 800w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\"><\/a><\/p>\n<p>In terms of functionality, BTMOB maintains a set of intrusive capabilities, including: automatic granting of 
permissions, especially on Android 13\u201315 devices; use of a black <code>FrameLayout<\/code> overlay to hide system notifications similar to the one observed in the banking module; silent installation; persistent background execution; and mechanisms designed to capture screen lock credentials, including PINs, patterns, and passwords. The malware also provides access to front and rear cameras, captures keystrokes in real time, monitors GPS location, and constantly collects sensitive data. Together, these functionalities provide the operator with comprehensive remote control, persistent access, and extensive surveillance capabilities over compromised devices.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119140\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17.png\" alt=\"\" width=\"782\" height=\"453\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17.png 782w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17-300x174.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17-768x445.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17-604x350.png 604w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17-740x429.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/06174333\/beatbanker-miner17-483x280.png 483w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\"><\/a><\/p>\n<h2 id=\"victims\">Victims<\/h2>\n<p>All variants of BeatBanker \u2013 those 
with the banking module and those with the BTMOB RAT \u2013 were detected on victims in Brazil. Some of the samples that deliver BTMOB appear to use WhatsApp to spread, as well as phishing pages.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>BeatBanker is an excellent example of how mobile threats are becoming more sophisticated and multi-layered. Initially focused on Brazil, this Trojan operates a dual campaign, acting as a Monero cryptocurrency miner, discreetly draining your device\u2019s battery life while also stealing banking credentials and tampering with cryptocurrency transactions. Moreover, the most recent version goes even further, substituting the banking module with a full-fledged BTMOB RAT.<\/p>\n<p>The attackers have devised inventive tricks to maintain persistence. They keep the process alive by looping an almost inaudible audio track, which prevents the operating system from terminating it and allows BeatBanker to remain active for extended periods.<\/p>\n<p>Furthermore, the threat demonstrates an obsession with staying hidden. It monitors device usage, battery level and temperature. It even uses Google\u2019s legitimate system (FCM) to receive commands. The threat\u2019s banking module is capable of overlaying Binance and Trust Wallet screens and diverting USDT funds to the criminals\u2019 wallets before the victim even notices.<\/p>\n<p>The lesson here is clear: distrust is your best defense. BeatBanker spreads through fake websites that mimic Google Play, disguising itself as trustworthy government applications. To protect yourself against threats like this, it is essential to:<\/p>\n<ol>\n<li><strong>Download apps only from official sources.<\/strong> Always use the Google Play Store or the device vendor\u2019s official app store. 
Make sure you use the correct app store app, and verify the developer.<\/li>\n<li><strong>Check permissions.<\/strong> Pay attention to the permissions that applications request, especially those related to accessibility and installation of third-party packages.<\/li>\n<li><strong>Keep the system updated.<\/strong> Security updates for Android and your mobile antivirus are essential.<\/li>\n<\/ol>\n<p>Our solutions detect this threat as <code>HEUR:Trojan-Dropper.AndroidOS.BeatBanker<\/code> and <code>HEUR:Trojan-Dropper.AndroidOS.Banker<\/code>.*<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p><em>Additional IoCs, TTPs and detection rules are available to customers of our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/services?icid=gl_sl_ti-lnk_sm-team_63057f3138f7f09f#threat-intelligence\" target=\"_blank\" rel=\"noopener\">Threat Intelligence Reporting service<\/a>. For more details, contact us at <a href=\"mailto:crimewareintel@kaspersky.com\">crimewareintel@kaspersky.com<\/a>.<\/em><\/p>\n<p><strong>Host-based (MD5 hashes)<br \/>\n<\/strong><a href=\"https:\/\/opentip.kaspersky.com\/f6c979198809e13859196b135d21e79b\/?icid=gl_sl_opentip-lnk_sm-team_42fecaeccf2aca58&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">F6C979198809E13859196B135D21E79B<\/a> \u2013 INSS Reembolso<br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d3005bf1d52b40b0b72b3c3b1773336b\/?icid=gl_sl_opentip-lnk_sm-team_d357d08cd173faec&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">D3005BF1D52B40B0B72B3C3B1773336B<\/a> \u2013 StarLink<\/p>\n<p><strong>Domains<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/cupomgratisfood.shop\/?icid=gl_sl_opentip-lnk_sm-team_3e11ac4ef6d5196e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cupomgratisfood[.]shop<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/fud2026.com\/?icid=gl_sl_opentip-lnk_sm-team_1d480870295b8626&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fud2026[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/accessor.fud2026.com\/?icid=gl_sl_opentip-lnk_sm-team_4622a10cc3ca31d7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">accessor.fud2026[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/pool.fud2026.com\/?icid=gl_sl_opentip-lnk_sm-team_aec080dc8d4e9269&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pool.fud2026[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/pool-proxy.fud2026.com\/?icid=gl_sl_opentip-lnk_sm-team_5ccbeb2d4df320be&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pool-proxy.fud2026[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/aptabase.fud2026.com\/?icid=gl_sl_opentip-lnk_sm-team_dc8766382d106ee5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">aptabase.fud2026[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/aptabase.khwdji319.xyz\/?icid=gl_sl_opentip-lnk_sm-team_0c22d12f2bbe43de&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">aptabase.khwdji319[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/btmob.xyz\/?icid=gl_sl_opentip-lnk_sm-team_c1df95a0ae9b488a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">btmob[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bt-mob.net\/?icid=gl_sl_opentip-lnk_sm-team_90e102d85de1d6f7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bt-mob[.]net<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recently, we uncovered BeatBanker, an Android\u2011based malware 
campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[799,800,90,662,248,99,232,233,324,664,670,587,236,235],"tags":[91],"class_list":["post-1803","post","type-post","status-publish","format-standard","hentry","category-beatbanker","category-btmob-rat","category-cybersecurity","category-google-android","category-great-research","category-malware","category-malware-descriptions","category-malware-technologies","category-miner","category-mobile-malware","category-mobile-threats","category-rat","category-trojan","category-trojan-banker","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>BeatBanker: A dual\u2011mode Android Trojan - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BeatBanker: A dual\u2011mode Android Trojan - Imperative Business Ventures Limited\" \/>\n<meta 
property=\"og:description\" content=\"Recently, we uncovered BeatBanker, an Android\u2011based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-10T11:04:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"BeatBanker: A dual\u2011mode Android Trojan\",\"datePublished\":\"2026-03-10T11:04:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\"},\"wordCount\":2732,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"BeatBanker\",\"BTMOB RAT\",\"Cybersecurity\",\"Google Android\",\"GReAT research\",\"Malware\",\"Malware descriptions\",\"Malware Technologies\",\"Miner\",\"Mobile Malware\",\"Mobile threats\",\"RAT\",\"Trojan\",\"Trojan Banker\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\",\"name\":\"BeatBanker: A dual\u2011mode Android Trojan - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\",\"datePublished\":\"2026-03-10T11:04:13+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/03\/10080849\/SL-BeatBanker-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/10\/beatbanker-a-dual-mode-android-trojan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BeatBanker: A dual\u2011mode Android Trojan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures 
Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1803"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1803\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}